40 |
40 |
41 subsubsection{*Introduction rules*} |
41 subsubsection{*Introduction rules*} |
42 |
42 |
43 text{* We start with a really trivial toy proof to introduce the basic |
43 text{* We start with a really trivial toy proof to introduce the basic |
44 features of structured proofs. *} |
44 features of structured proofs. *} |
45 |
|
46 lemma "A \<longrightarrow> A" |
45 lemma "A \<longrightarrow> A" |
47 proof (rule impI) |
46 proof (rule impI) |
48 assume a: "A" |
47 assume a: "A" |
49 show "A" by(rule a) |
48 show "A" by(rule a) |
50 qed |
49 qed |
51 |
|
52 text{*\noindent |
50 text{*\noindent |
53 The operational reading: the \isakeyword{assume}-\isakeyword{show} block |
51 The operational reading: the \isakeyword{assume}-\isakeyword{show} block |
54 proves @{prop"A \<Longrightarrow> A"}, |
52 proves @{prop"A \<Longrightarrow> A"}, |
55 which rule @{thm[source]impI} turns into the desired @{prop"A \<longrightarrow> A"}. |
53 which rule @{thm[source]impI} turns into the desired @{prop"A \<longrightarrow> A"}. |
56 However, this text is much too detailled for comfort. Therefore Isar |
54 However, this text is much too detailled for comfort. Therefore Isar |
69 qed |
67 qed |
70 |
68 |
71 text{* Trivial proofs, in particular those by assumption, should be trivial |
69 text{* Trivial proofs, in particular those by assumption, should be trivial |
72 to perform. Method ``.'' does just that (and a bit more --- see later). Thus |
70 to perform. Method ``.'' does just that (and a bit more --- see later). Thus |
73 naming of assumptions is often superfluous: *} |
71 naming of assumptions is often superfluous: *} |
74 |
|
75 lemma "A \<longrightarrow> A" |
72 lemma "A \<longrightarrow> A" |
76 proof |
73 proof |
77 assume "A" |
74 assume "A" |
78 show "A" . |
75 show "A" . |
79 qed |
76 qed |
80 |
77 |
81 text{* To hide proofs by assumption further, \isakeyword{by}@{text"(method)"} |
78 text{* To hide proofs by assumption further, \isakeyword{by}@{text"(method)"} |
82 first applies @{text method} and then tries to solve all remaining subgoals |
79 first applies @{text method} and then tries to solve all remaining subgoals |
83 by assumption: *} |
80 by assumption: *} |
84 |
|
85 lemma "A \<longrightarrow> A \<and> A" |
81 lemma "A \<longrightarrow> A \<and> A" |
86 proof |
82 proof |
87 assume A |
83 assume A |
88 show "A \<and> A" by(rule conjI) |
84 show "A \<and> A" by(rule conjI) |
89 qed |
85 qed |
90 |
|
91 text{*\noindent A drawback of these implicit proofs by assumption is that it |
86 text{*\noindent A drawback of these implicit proofs by assumption is that it |
92 is no longer obvious where an assumption is used. |
87 is no longer obvious where an assumption is used. |
93 |
88 |
94 Proofs of the form \isakeyword{by}@{text"(rule"}~\emph{name}@{text")"} can be |
89 Proofs of the form \isakeyword{by}@{text"(rule"}~\emph{name}@{text")"} can be |
95 abbreviated to ``..'' |
90 abbreviated to ``..'' |
111 |
105 |
112 text{*A typical elimination rule is @{thm[source]conjE}, $\land$-elimination: |
106 text{*A typical elimination rule is @{thm[source]conjE}, $\land$-elimination: |
113 @{thm[display,indent=5]conjE[no_vars]} In the following proof it is applied |
107 @{thm[display,indent=5]conjE[no_vars]} In the following proof it is applied |
114 by hand, after its first (``\emph{major}'') premise has been eliminated via |
108 by hand, after its first (``\emph{major}'') premise has been eliminated via |
115 @{text"[OF AB]"}: *} |
109 @{text"[OF AB]"}: *} |
116 |
|
117 lemma "A \<and> B \<longrightarrow> B \<and> A" |
110 lemma "A \<and> B \<longrightarrow> B \<and> A" |
118 proof |
111 proof |
119 assume AB: "A \<and> B" |
112 assume AB: "A \<and> B" |
120 show "B \<and> A" |
113 show "B \<and> A" |
121 proof (rule conjE[OF AB]) -- {*@{prop"(A \<Longrightarrow> B \<Longrightarrow> R) \<Longrightarrow> R"}*} |
114 proof (rule conjE[OF AB]) -- {*@{prop"(A \<Longrightarrow> B \<Longrightarrow> R) \<Longrightarrow> R"}*} |
122 assume A and B |
115 assume A and B |
123 show ?thesis .. |
116 show ?thesis .. |
124 qed |
117 qed |
125 qed |
118 qed |
126 |
|
127 text{*\noindent Note that the term @{text"?thesis"} always stands for the |
119 text{*\noindent Note that the term @{text"?thesis"} always stands for the |
128 ``current goal'', i.e.\ the enclosing \isakeyword{show} (or |
120 ``current goal'', i.e.\ the enclosing \isakeyword{show} (or |
129 \isakeyword{have}). |
121 \isakeyword{have}). |
130 |
122 |
131 This is too much proof text. Elimination rules should be selected |
123 This is too much proof text. Elimination rules should be selected |
157 such that the proof of each proposition builds on the previous proposition. |
149 such that the proof of each proposition builds on the previous proposition. |
158 \end{quote} |
150 \end{quote} |
159 The previous proposition can be referred to via the fact @{text this}. |
151 The previous proposition can be referred to via the fact @{text this}. |
160 This greatly reduces the need for explicit naming of propositions: |
152 This greatly reduces the need for explicit naming of propositions: |
161 *} |
153 *} |
162 |
|
163 lemma "A \<and> B \<longrightarrow> B \<and> A" |
154 lemma "A \<and> B \<longrightarrow> B \<and> A" |
164 proof |
155 proof |
165 assume "A \<and> B" |
156 assume "A \<and> B" |
166 from this show "B \<and> A" |
157 from this show "B \<and> A" |
167 proof |
158 proof |
174 A final simplification: \isakeyword{from}~@{text this} can be |
165 A final simplification: \isakeyword{from}~@{text this} can be |
175 abbreviated to \isakeyword{thus}. |
166 abbreviated to \isakeyword{thus}. |
176 \medskip |
167 \medskip |
177 |
168 |
178 Here is an alternative proof that operates purely by forward reasoning: *} |
169 Here is an alternative proof that operates purely by forward reasoning: *} |
179 |
|
180 lemma "A \<and> B \<longrightarrow> B \<and> A" |
170 lemma "A \<and> B \<longrightarrow> B \<and> A" |
181 proof |
171 proof |
182 assume ab: "A \<and> B" |
172 assume ab: "A \<and> B" |
183 from ab have a: A .. |
173 from ab have a: A .. |
184 from ab have b: B .. |
174 from ab have b: B .. |
185 from b a show "B \<and> A" .. |
175 from b a show "B \<and> A" .. |
186 qed |
176 qed |
187 |
|
188 text{*\noindent |
177 text{*\noindent |
189 It is worth examining this text in detail because it exhibits a number of new features. |
178 It is worth examining this text in detail because it exhibits a number of new features. |
190 |
179 |
191 For a start, this is the first time we have proved intermediate propositions |
180 For a start, this is the first time we have proved intermediate propositions |
192 (\isakeyword{have}) on the way to the final \isakeyword{show}. This is the |
181 (\isakeyword{have}) on the way to the final \isakeyword{show}. This is the |
244 qed |
233 qed |
245 qed |
234 qed |
246 qed |
235 qed |
247 qed |
236 qed |
248 qed; |
237 qed; |
249 |
|
250 text{*\noindent Apart from demonstrating the strangeness of classical |
238 text{*\noindent Apart from demonstrating the strangeness of classical |
251 arguments by contradiction, this example also introduces a new language |
239 arguments by contradiction, this example also introduces a new language |
252 feature to deal with multiple subgoals: \isakeyword{next}. When showing |
240 feature to deal with multiple subgoals: \isakeyword{next}. When showing |
253 @{term"A \<and> B"} we need to show both @{term A} and @{term B}. Each subgoal |
241 @{term"A \<and> B"} we need to show both @{term A} and @{term B}. Each subgoal |
254 is proved separately, in \emph{any} order. The individual proofs are |
242 is proved separately, in \emph{any} order. The individual proofs are |
257 subsection{*Avoiding duplication*} |
245 subsection{*Avoiding duplication*} |
258 |
246 |
259 text{* So far our examples have been a bit unnatural: normally we want to |
247 text{* So far our examples have been a bit unnatural: normally we want to |
260 prove rules expressed with @{text"\<Longrightarrow>"}, not @{text"\<longrightarrow>"}. Here is an example: |
248 prove rules expressed with @{text"\<Longrightarrow>"}, not @{text"\<longrightarrow>"}. Here is an example: |
261 *} |
249 *} |
262 |
|
263 lemma "(A \<Longrightarrow> False) \<Longrightarrow> \<not> A" |
250 lemma "(A \<Longrightarrow> False) \<Longrightarrow> \<not> A" |
264 proof |
251 proof |
265 assume "A \<Longrightarrow> False" "A" |
252 assume "A \<Longrightarrow> False" "A" |
266 thus False . |
253 thus False . |
267 qed |
254 qed |
268 |
|
269 text{*\noindent The \isakeyword{proof} always works on the conclusion, |
255 text{*\noindent The \isakeyword{proof} always works on the conclusion, |
270 @{prop"\<not>A"} in our case, thus selecting $\neg$-introduction. Hence we can |
256 @{prop"\<not>A"} in our case, thus selecting $\neg$-introduction. Hence we can |
271 additionally assume @{prop"A"}. Why does ``.'' prove @{prop False}? Because |
257 additionally assume @{prop"A"}. Why does ``.'' prove @{prop False}? Because |
272 ``.'' tries any of the assumptions, including proper rules (here: @{prop"A \<Longrightarrow> |
258 ``.'' tries any of the assumptions, including proper rules (here: @{prop"A \<Longrightarrow> |
273 False"}), such that all of its premises can be solved directly by some other |
259 False"}), such that all of its premises can be solved directly by some other |
281 (is "(?P \<Longrightarrow> _) \<Longrightarrow> _") |
267 (is "(?P \<Longrightarrow> _) \<Longrightarrow> _") |
282 proof |
268 proof |
283 assume "?P \<Longrightarrow> False" ?P |
269 assume "?P \<Longrightarrow> False" ?P |
284 thus False . |
270 thus False . |
285 qed |
271 qed |
286 |
|
287 text{*\noindent Any formula may be followed by |
272 text{*\noindent Any formula may be followed by |
288 @{text"("}\isakeyword{is}~\emph{pattern}@{text")"} which causes the pattern |
273 @{text"("}\isakeyword{is}~\emph{pattern}@{text")"} which causes the pattern |
289 to be matched against the formula, instantiating the @{text"?"}-variables in |
274 to be matched against the formula, instantiating the @{text"?"}-variables in |
290 the pattern. Subsequent uses of these variables in other terms simply causes |
275 the pattern. Subsequent uses of these variables in other terms simply causes |
291 them to be replaced by the terms they stand for. |
276 them to be replaced by the terms they stand for. |
320 next |
304 next |
321 assume B show ?thesis .. |
305 assume B show ?thesis .. |
322 qed |
306 qed |
323 qed |
307 qed |
324 |
308 |
|
309 |
325 subsection{*Predicate calculus*} |
310 subsection{*Predicate calculus*} |
326 |
311 |
327 text{* Command \isakeyword{fix} introduces new local variables into a |
312 text{* Command \isakeyword{fix} introduces new local variables into a |
328 proof. It corresponds to @{text"\<And>"} (the universal quantifier at the |
313 proof. It corresponds to @{text"\<And>"} (the universal quantifier at the |
329 meta-level) just like \isakeyword{assume}-\isakeyword{show} corresponds to |
314 meta-level) just like \isakeyword{assume}-\isakeyword{show} corresponds to |
330 @{text"\<Longrightarrow>"}. Here is a sample proof, annotated with the rules that are |
315 @{text"\<Longrightarrow>"}. Here is a sample proof, annotated with the rules that are |
331 applied implictly: *} |
316 applied implictly: *} |
332 |
|
333 lemma assumes P: "\<forall>x. P x" shows "\<forall>x. P(f x)" |
317 lemma assumes P: "\<forall>x. P x" shows "\<forall>x. P(f x)" |
334 proof -- "@{thm[source]allI}: @{thm allI[no_vars]}" |
318 proof -- "@{thm[source]allI}: @{thm allI[no_vars]}" |
335 fix a |
319 fix a |
336 from P show "P(f a)" .. --"@{thm[source]allE}: @{thm allE[no_vars]}" |
320 from P show "P(f a)" .. --"@{thm[source]allE}: @{thm allE[no_vars]}" |
337 qed |
321 qed |
338 |
|
339 text{*\noindent Note that in the proof we have chosen to call the bound |
322 text{*\noindent Note that in the proof we have chosen to call the bound |
340 variable @{term a} instead of @{term x} merely to show that the choice of |
323 variable @{term a} instead of @{term x} merely to show that the choice of |
341 names is irrelevant. |
324 names is irrelevant. |
342 |
325 |
343 Next we look at @{text"\<exists>"} which is a bit more tricky. |
326 Next we look at @{text"\<exists>"} which is a bit more tricky. |
350 fix a |
333 fix a |
351 assume "P(f a)" |
334 assume "P(f a)" |
352 show ?thesis .. --"@{thm[source]exI}: @{thm exI[no_vars]}" |
335 show ?thesis .. --"@{thm[source]exI}: @{thm exI[no_vars]}" |
353 qed |
336 qed |
354 qed |
337 qed |
355 |
338 text{*\noindent Explicit $\exists$-elimination as seen above can become |
356 text {*\noindent |
|
357 Explicit $\exists$-elimination as seen above can become |
|
358 cumbersome in practice. The derived Isar language element |
339 cumbersome in practice. The derived Isar language element |
359 \isakeyword{obtain} provides a more handsome way to perform |
340 \isakeyword{obtain} provides a more handsome way to perform generalized |
360 generalized existence reasoning: |
341 existence reasoning: *} |
361 *} |
|
362 |
342 |
363 lemma assumes Pf: "\<exists>x. P(f x)" shows "\<exists>y. P y" |
343 lemma assumes Pf: "\<exists>x. P(f x)" shows "\<exists>y. P y" |
364 proof - |
344 proof - |
365 from Pf obtain a where "P(f a)" .. |
345 from Pf obtain a where "P(f a)" .. |
366 thus "\<exists>y. P y" .. |
346 thus "\<exists>y. P y" .. |
367 qed |
347 qed |
368 |
348 text{*\noindent Note how the proof text follows the usual mathematical style |
369 text {*\noindent Note how the proof text follows the usual mathematical style |
|
370 of concluding $P(x)$ from $\exists x. P(x)$, while carefully introducing $x$ |
349 of concluding $P(x)$ from $\exists x. P(x)$, while carefully introducing $x$ |
371 as a new local variable. Technically, \isakeyword{obtain} is similar to |
350 as a new local variable. Technically, \isakeyword{obtain} is similar to |
372 \isakeyword{fix} and \isakeyword{assume} together with a soundness proof of |
351 \isakeyword{fix} and \isakeyword{assume} together with a soundness proof of |
373 the elimination involved. Thus it behaves similar to any other forward proof |
352 the elimination involved. Thus it behaves similar to any other forward proof |
374 element. |
353 element. |
387 |
366 |
388 text{* So far we have confined ourselves to single step proofs. Of course |
367 text{* So far we have confined ourselves to single step proofs. Of course |
389 powerful automatic methods can be used just as well. Here is an example, |
368 powerful automatic methods can be used just as well. Here is an example, |
390 Cantor's theorem that there is no surjective function from a set to its |
369 Cantor's theorem that there is no surjective function from a set to its |
391 powerset: *} |
370 powerset: *} |
392 |
|
393 theorem "\<exists>S. S \<notin> range (f :: 'a \<Rightarrow> 'a set)" |
371 theorem "\<exists>S. S \<notin> range (f :: 'a \<Rightarrow> 'a set)" |
394 proof |
372 proof |
395 let ?S = "{x. x \<notin> f x}" |
373 let ?S = "{x. x \<notin> f x}" |
396 show "?S \<notin> range f" |
374 show "?S \<notin> range f" |
397 proof |
375 proof |
405 assume "y \<notin> ?S" |
383 assume "y \<notin> ?S" |
406 with fy show False by blast |
384 with fy show False by blast |
407 qed |
385 qed |
408 qed |
386 qed |
409 qed |
387 qed |
410 |
|
411 text{*\noindent |
388 text{*\noindent |
412 For a start, the example demonstrates two new language elements: |
389 For a start, the example demonstrates two new language elements: |
413 \begin{itemize} |
390 \begin{itemize} |
414 \item \isakeyword{let} introduces an abbreviation for a term, in our case |
391 \item \isakeyword{let} introduces an abbreviation for a term, in our case |
415 the witness for the claim, because the term occurs multiple times in the proof. |
392 the witness for the claim, because the term occurs multiple times in the proof. |
445 from A have "y \<in> f y" by simp |
422 from A have "y \<in> f y" by simp |
446 with notin show False by contradiction |
423 with notin show False by contradiction |
447 qed |
424 qed |
448 qed |
425 qed |
449 qed |
426 qed |
450 |
427 text{*\noindent Method @{text contradiction} succeeds if both $P$ and |
451 text {*\noindent Method @{text contradiction} succeeds if both $P$ and |
|
452 $\neg P$ are among the assumptions and the facts fed into that step. |
428 $\neg P$ are among the assumptions and the facts fed into that step. |
453 |
429 |
454 As it happens, Cantor's theorem can be proved automatically by best-first |
430 As it happens, Cantor's theorem can be proved automatically by best-first |
455 search. Depth-first search would diverge, but best-first search successfully |
431 search. Depth-first search would diverge, but best-first search successfully |
456 navigates through the large search space: |
432 navigates through the large search space: |
457 *} |
433 *} |
458 |
434 |
459 theorem "\<exists>S. S \<notin> range (f :: 'a \<Rightarrow> 'a set)" |
435 theorem "\<exists>S. S \<notin> range (f :: 'a \<Rightarrow> 'a set)" |
460 by best |
436 by best |
461 |
|
462 text{*\noindent Of course this only works in the context of HOL's carefully |
437 text{*\noindent Of course this only works in the context of HOL's carefully |
463 constructed introduction and elimination rules for set theory. |
438 constructed introduction and elimination rules for set theory. |
464 |
439 |
465 Finally, whole scripts may appear in the leaves of the proof tree, although |
440 Finally, whole scripts may appear in the leaves of the proof tree, although |
466 this is best avoided. Here is a contrived example: *} |
441 this is best avoided. Here is a contrived example: *} |
473 apply(erule impE) |
448 apply(erule impE) |
474 apply(rule a) |
449 apply(rule a) |
475 apply assumption |
450 apply assumption |
476 done |
451 done |
477 qed |
452 qed |
478 |
|
479 text{*\noindent You may need to resort to this technique if an automatic step |
453 text{*\noindent You may need to resort to this technique if an automatic step |
480 fails to prove the desired proposition. *} |
454 fails to prove the desired proposition. *} |
481 |
455 |
482 |
|
483 section{*Case distinction and induction*} |
456 section{*Case distinction and induction*} |
484 |
457 |
485 |
458 |
486 subsection{*Case distinction*} |
459 subsection{*Case distinction*} |
487 |
460 |
488 text{* We have already met the @{text cases} method for performing |
461 text{* We have already met the @{text cases} method for performing |
489 binary case splits. Here is another example: *} |
462 binary case splits. Here is another example: *} |
490 |
|
491 lemma "P \<or> \<not> P" |
463 lemma "P \<or> \<not> P" |
492 proof cases |
464 proof cases |
493 assume "P" thus ?thesis .. |
465 assume "P" thus ?thesis .. |
494 next |
466 next |
495 assume "\<not> P" thus ?thesis .. |
467 assume "\<not> P" thus ?thesis .. |
496 qed |
468 qed |
497 |
|
498 text{*\noindent As always, the cases can be tackled in any order. |
469 text{*\noindent As always, the cases can be tackled in any order. |
499 |
470 |
500 This form is appropriate if @{term P} is textually small. However, if |
471 This form is appropriate if @{term P} is textually small. However, if |
501 @{term P} is large, we don't want to repeat it. This can be avoided by |
472 @{term P} is large, we don't want to repeat it. This can be avoided by |
502 the following idiom *} |
473 the following idiom *} |
505 proof (cases "P") |
476 proof (cases "P") |
506 case True thus ?thesis .. |
477 case True thus ?thesis .. |
507 next |
478 next |
508 case False thus ?thesis .. |
479 case False thus ?thesis .. |
509 qed |
480 qed |
510 |
|
511 text{*\noindent which is simply a shorthand for the previous |
481 text{*\noindent which is simply a shorthand for the previous |
512 proof. More precisely, the phrases \isakeyword{case}~@{prop |
482 proof. More precisely, the phrases \isakeyword{case}~@{prop |
513 True}/@{prop False} abbreviate the corresponding assumptions @{prop P} |
483 True}/@{prop False} abbreviate the corresponding assumptions @{prop P} |
514 and @{prop"\<not>P"}. |
484 and @{prop"\<not>P"}. |
515 |
485 |
516 The same game can be played with other datatypes, for example lists: |
486 The same game can be played with other datatypes, for example lists: |
517 *} |
487 *} |
|
488 |
518 (*<*)declare length_tl[simp del](*>*) |
489 (*<*)declare length_tl[simp del](*>*) |
|
490 |
519 lemma "length(tl xs) = length xs - 1" |
491 lemma "length(tl xs) = length xs - 1" |
520 proof (cases xs) |
492 proof (cases xs) |
521 case Nil thus ?thesis by simp |
493 case Nil thus ?thesis by simp |
522 next |
494 next |
523 case Cons thus ?thesis by simp |
495 case Cons thus ?thesis by simp |
524 qed |
496 qed |
525 |
|
526 text{*\noindent Here \isakeyword{case}~@{text Nil} abbreviates |
497 text{*\noindent Here \isakeyword{case}~@{text Nil} abbreviates |
527 \isakeyword{assume}~@{prop"x = []"} and \isakeyword{case}~@{text Cons} |
498 \isakeyword{assume}~@{prop"x = []"} and \isakeyword{case}~@{text Cons} |
528 abbreviates \isakeyword{assume}~@{text"xs = _ # _"}. The names of the head |
499 abbreviates \isakeyword{assume}~@{text"xs = _ # _"}. The names of the head |
529 and tail of @{text xs} have been chosen by the system. Therefore we cannot |
500 and tail of @{text xs} have been chosen by the system. Therefore we cannot |
530 refer to them (this would lead to brittle proofs) and have not even shown |
501 refer to them (this would lead to brittle proofs) and have not even shown |
542 case (Cons y ys) |
513 case (Cons y ys) |
543 hence "length(tl xs) = length ys \<and> length xs = length ys + 1" |
514 hence "length(tl xs) = length ys \<and> length xs = length ys + 1" |
544 by simp |
515 by simp |
545 thus ?thesis by simp |
516 thus ?thesis by simp |
546 qed |
517 qed |
547 |
|
548 text{* New case distincion rules can be declared any time, even with |
518 text{* New case distincion rules can be declared any time, even with |
549 named cases. *} |
519 named cases. *} |
550 |
520 |
551 |
|
552 subsection{*Induction*} |
521 subsection{*Induction*} |
553 |
522 |
554 |
523 |
555 subsubsection{*Structural induction*} |
524 subsubsection{*Structural induction*} |
556 |
525 |
557 text{* We start with a simple inductive proof where both cases are proved automatically: *} |
526 text{* We start with a simple inductive proof where both cases are proved automatically: *} |
558 |
|
559 lemma "2 * (\<Sum>i<n+1. i) = n*(n+1)" |
527 lemma "2 * (\<Sum>i<n+1. i) = n*(n+1)" |
560 by (induct n, simp_all) |
528 by (induct n, simp_all) |
561 |
529 |
562 text{*\noindent If we want to expose more of the structure of the |
530 text{*\noindent If we want to expose more of the structure of the |
563 proof, we can use pattern matching to avoid having to repeat the goal |
531 proof, we can use pattern matching to avoid having to repeat the goal |
564 statement: *} |
532 statement: *} |
565 |
|
566 lemma "2 * (\<Sum>i<n+1. i) = n*(n+1)" (is "?P n") |
533 lemma "2 * (\<Sum>i<n+1. i) = n*(n+1)" (is "?P n") |
567 proof (induct n) |
534 proof (induct n) |
568 show "?P 0" by simp |
535 show "?P 0" by simp |
569 next |
536 next |
570 fix n assume "?P n" |
537 fix n assume "?P n" |
572 qed |
539 qed |
573 |
540 |
574 text{* \noindent We could refine this further to show more of the equational |
541 text{* \noindent We could refine this further to show more of the equational |
575 proof. Instead we explore the same avenue as for case distinctions: |
542 proof. Instead we explore the same avenue as for case distinctions: |
576 introducing context via the \isakeyword{case} command: *} |
543 introducing context via the \isakeyword{case} command: *} |
577 |
|
578 lemma "2 * (\<Sum>i<n+1. i) = n*(n+1)" |
544 lemma "2 * (\<Sum>i<n+1. i) = n*(n+1)" |
579 proof (induct n) |
545 proof (induct n) |
580 case 0 show ?case by simp |
546 case 0 show ?case by simp |
581 next |
547 next |
582 case Suc thus ?case by simp |
548 case Suc thus ?case by simp |
588 empty whereas \isakeyword{case}~@{text Suc} assumes @{text"?P n"}. Again we |
554 empty whereas \isakeyword{case}~@{text Suc} assumes @{text"?P n"}. Again we |
589 have the same problem as with case distinctions: we cannot refer to @{term n} |
555 have the same problem as with case distinctions: we cannot refer to @{term n} |
590 in the induction step because it has not been introduced via \isakeyword{fix} |
556 in the induction step because it has not been introduced via \isakeyword{fix} |
591 (in contrast to the previous proof). The solution is the same as above: |
557 (in contrast to the previous proof). The solution is the same as above: |
592 replace @{term Suc} by @{text"(Suc i)"}: *} |
558 replace @{term Suc} by @{text"(Suc i)"}: *} |
593 |
|
594 lemma fixes n::nat shows "n < n*n + 1" |
559 lemma fixes n::nat shows "n < n*n + 1" |
595 proof (induct n) |
560 proof (induct n) |
596 case 0 show ?case by simp |
561 case 0 show ?case by simp |
597 next |
562 next |
598 case (Suc i) thus "Suc i < Suc i * Suc i + 1" by simp |
563 case (Suc i) thus "Suc i < Suc i * Suc i + 1" by simp |
604 |
569 |
605 Let us now tackle a more ambitious lemma: proving complete induction |
570 Let us now tackle a more ambitious lemma: proving complete induction |
606 @{prop[display,indent=5]"(\<And>n. (\<And>m. m < n \<Longrightarrow> P m) \<Longrightarrow> P n) \<Longrightarrow> P n"} |
571 @{prop[display,indent=5]"(\<And>n. (\<And>m. m < n \<Longrightarrow> P m) \<Longrightarrow> P n) \<Longrightarrow> P n"} |
607 via structural induction. It is well known that one needs to prove |
572 via structural induction. It is well known that one needs to prove |
608 something more general first: *} |
573 something more general first: *} |
609 |
|
610 lemma cind_lemma: |
574 lemma cind_lemma: |
611 assumes A: "(\<And>n. (\<And>m. m < n \<Longrightarrow> P m) \<Longrightarrow> P n)" |
575 assumes A: "(\<And>n. (\<And>m. m < n \<Longrightarrow> P m) \<Longrightarrow> P n)" |
612 shows "\<And>m. m < n \<Longrightarrow> P(m::nat)" |
576 shows "\<And>m. m < n \<Longrightarrow> P(m::nat)" |
613 proof (induct n) |
577 proof (induct n) |
614 case 0 thus ?case by simp |
578 case 0 thus ?case by simp |
623 assume neq: "m \<noteq> n" |
587 assume neq: "m \<noteq> n" |
624 with Suc have "m < n" by simp |
588 with Suc have "m < n" by simp |
625 with Suc show "P m" by blast |
589 with Suc show "P m" by blast |
626 qed |
590 qed |
627 qed |
591 qed |
628 |
|
629 text{* \noindent Let us first examine the statement of the lemma. |
592 text{* \noindent Let us first examine the statement of the lemma. |
630 In contrast to the style advertized in the |
593 In contrast to the style advertized in the |
631 Tutorial~\cite{LNCS2283}, structured Isar proofs do not need to |
594 Tutorial~\cite{LNCS2283}, structured Isar proofs do not need to |
632 introduce @{text"\<forall>"} or @{text"\<longrightarrow>"} into a theorem to strengthen it |
595 introduce @{text"\<forall>"} or @{text"\<longrightarrow>"} into a theorem to strengthen it |
633 for induction --- we use @{text"\<And>"} and @{text"\<Longrightarrow>"} instead. This |
596 for induction --- we use @{text"\<And>"} and @{text"\<Longrightarrow>"} instead. This |
653 |
616 |
654 subsubsection{*Rule induction*} |
617 subsubsection{*Rule induction*} |
655 |
618 |
656 text{* We define our own version of reflexive transitive closure of a |
619 text{* We define our own version of reflexive transitive closure of a |
657 relation *} |
620 relation *} |
658 |
|
659 consts rtc :: "('a \<times> 'a)set \<Rightarrow> ('a \<times> 'a)set" ("_*" [1000] 999) |
621 consts rtc :: "('a \<times> 'a)set \<Rightarrow> ('a \<times> 'a)set" ("_*" [1000] 999) |
660 inductive "r*" |
622 inductive "r*" |
661 intros |
623 intros |
662 refl: "(x,x) \<in> r*" |
624 refl: "(x,x) \<in> r*" |
663 step: "\<lbrakk> (x,y) \<in> r; (y,z) \<in> r* \<rbrakk> \<Longrightarrow> (x,z) \<in> r*" |
625 step: "\<lbrakk> (x,y) \<in> r; (y,z) \<in> r* \<rbrakk> \<Longrightarrow> (x,z) \<in> r*" |
664 |
626 |
665 text{* \noindent and prove that @{term"r*"} is indeed transitive: *} |
627 text{* \noindent and prove that @{term"r*"} is indeed transitive: *} |
666 |
628 lemma assumes A: "(x,y) \<in> r*" |
|
629 shows "(y,z) \<in> r* \<Longrightarrow> (x,z) \<in> r*" (is "PROP ?P x y") |
|
630 using A |
|
631 proof induct |
|
632 case refl thus ?case . |
|
633 next |
|
634 case step thus ?case by(blast intro: rtc.step) |
|
635 qed |
|
636 (* |
667 lemma assumes A: "(x,y) \<in> r*" |
637 lemma assumes A: "(x,y) \<in> r*" |
668 shows "(y,z) \<in> r* \<Longrightarrow> (x,z) \<in> r*" (is "PROP ?P x y") |
638 shows "(y,z) \<in> r* \<Longrightarrow> (x,z) \<in> r*" (is "PROP ?P x y") |
669 proof - |
639 proof - |
670 from A show "PROP ?P x y" |
640 from A show "PROP ?P x y" |
671 proof induct |
641 proof induct |
672 fix x show "PROP ?P x x" . |
642 fix x show "PROP ?P x x" . |
673 next |
643 next |
674 fix x' x y |
644 fix x' x y |
675 assume "(x',x) \<in> r" and |
645 assume "(x',x) \<in> r" |
676 "PROP ?P x y" -- "The induction hypothesis" |
646 "PROP ?P x y" -- "induction hypothesis" |
677 thus "PROP ?P x' y" by(blast intro: rtc.step) |
647 thus "PROP ?P x' y" by(blast intro: rtc.step) |
678 qed |
648 qed |
679 qed |
649 qed |
680 |
650 *) |
681 text{*\noindent Rule induction is triggered by a fact $(x_1,\dots,x_n) \in R$ |
651 text{*\noindent Rule induction is triggered by a fact $(x_1,\dots,x_n) \in R$ |
682 piped into the proof, here \isakeyword{from}~@{text A}. The proof itself |
652 piped into the proof, here \isakeyword{from}~@{text A}. The proof itself |
683 follows the two rules of the inductive definition very closely. The only |
653 follows the two rules of the inductive definition very closely. The only |
684 surprising thing should be the keyword @{text PROP}: because of certain |
654 surprising thing should be the keyword @{text PROP}: because of certain |
685 syntactic subleties it is required in front of terms of type @{typ prop} (the |
655 syntactic subleties it is required in front of terms of type @{typ prop} (the |